AWS Cloud
I'd like information about New Zealand Data Protection

New Zealand customers can run their applications and workloads in the Asia Pacific (Sydney) Region to reduce latency to the customer's end-users based in Australia and New Zealand while avoiding the up-front expenses, long-term commitments, and scaling challenges associated with maintaining and operating their own infrastructure.

We found that Amazon Web Services was continously innovating on top of their platform and providing us an advantage. 
Jim Watts Director of Online Hosting

Control the way you want to secure your data

Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.

AWS customers choose the AWS Region or Regions in which their content and servers will be located. This allows customers with geographic specific requirements to establish environments in a location or locations of their choice. For example, while AWS does not currently have a Region in New Zealand, AWS customers in New Zealand can choose to deploy their AWS services exclusively in the Asia Pacific (Sydney) Region and store their content offshore in Australia. If the customer makes this choice, their content will be located in Australia unless the customer chooses to move that content.

Customers always retain control of which Region(s) are used to store and process their content. AWS only stores and processes each customers' content in the Region(s), and using the services, chosen by the customer, and otherwise will not move customer content except as legally required.

New Zealand, like most countries, has enacted legislation that enables New Zealand law enforcement and government security bodies to seek access to information, including the New Zealand Security Intelligence Service Act 1969 and the Government Communications Security Bureau. However, it is important to remember that these laws all contain criteria that must be satisfied before authorising access by the relevant government body. For example, the government agency seeking access will need to show it has a valid reason for requiring a party to provide access to content. Most importantly, access powers largely relate to law enforcement and counter-terrorism.

The main requirements for handling personal information are set out in the Information Privacy Principles (“IPPs”) which are part of the Privacy Act. The IPPs impose requirements for collecting, managing, using, disclosing and otherwise handling personal information collected from individuals in New Zealand.

The Privacy Act recognises a distinction between principals and agents. Where an entity (the agent) holds personal information for the sole purpose of storing or processing personal information on behalf of another entity (the principal) and does not use or disclose the personal information for its own purposes, the information is deemed to be held by the principal. In those circumstances, primary responsibility for compliance with the IPPs will rest with the principal.

For the full table on IPP requirements, click here

Given that when using AWS customers maintain management and control of their data, customers retain the responsibility to monitor their own environment for privacy breaches and to notify affected individuals as required under applicable law.

A customer’s AWS access keys can be used as an example to help explain why the customer rather than AWS is best placed to manage this responsibility. Customers control access keys, and determine who is authorized to access their AWS account. AWS does not have visibility of access keys, or who is and who is not authorized to log into an account. Therefore, the customer is responsible for monitoring use, misuse, distribution or loss of access keys.

At this time, it is not a mandatory requirement of the Privacy Act to notify individuals of unauthorized access to or disclosure of their personal information. Notification may be appropriate according to the Office of the New Zealand Privacy Commissioner’s guidance on privacy breaches. It is for the customer to determine when it is appropriate for them to notify individuals and the notification process they will follow.



Contact Us